nocebo/diaspora
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fixed possible XSS; escape comment text in report helper

Browse source
This commit is contained in:
Lukas Matt 2014-04-28 10:01:44 -04:00
parent 7ef802127e
commit 462a7116de
1 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
app/helpers/report_helper.rb
View file

@ -8,7 +8,9 @@ module ReportHelper
when 'post' when 'post'
t('report.post_label', title: link_to(post_page_title(Post.find_by_id(id)), post_path(id))) t('report.post_label', title: link_to(post_page_title(Post.find_by_id(id)), post_path(id)))
when 'comment' when 'comment'
t('report.comment_label', data: comment_message(Comment.find_by_id(id))) # comment_message is not html_safe. To prevent
# cross-site-scripting we have to escape html
t('report.comment_label', data: h(comment_message(Comment.find_by_id(id))))
end end
end end
end end